cURL suspends bug bounty program due to a series of poor-quality AI vulnerability reports



The development team of the open-source network tool 'cURL' has run a 'bug bounty program' since 2019, paying rewards to researchers who discover security vulnerabilities. Now, however, the cURL security team has announced that it will end the program because of the volume of low-quality, AI-generated vulnerability reports it has been receiving.

curl.se/.well-known/security.txt
https://curl.se/.well-known/security.txt



Curl ending bug bounty program after flood of AI slop reports | SOC Defenders
https://www.socdefenders.ai/item/708f48fb-c756-431f-bf85-9d4be11405cf

Curl ending bug bounty program after flood of AI slop reports
https://www.bleepingcomputer.com/news/security/curl-ending-bug-bounty-program-after-flood-of-ai-slop-reports/

cURL is a command-line utility for transferring data over a wide range of protocols and is widely used for downloading files. To keep it secure, the cURL development team ran bug bounty programs on HackerOne and through the Internet Bug Bounty, paying rewards for security vulnerabilities disclosed in cURL and in libcurl, the library through which applications embed cURL's transfer functionality.

However, Daniel Stenberg, founder and lead developer of curl, said the bug bounty program has seen a sharp rise in invalid reports, many of them sloppy submissions generated by AI. While AI has in the past been used to find real bugs, Stenberg said, the traditional model of paying bounties is hard to sustain as long as low-quality AI-generated reports keep arriving.



In a January 16, 2026 post, Stenberg wrote, 'This week, we received seven HackerOne issues within 16 hours. Some of them were genuine bugs, which took a considerable amount of time to resolve, but they were simply bugs and not vulnerabilities eligible for the bounty program. Ultimately, we have processed 20 reports so far this year, and have concluded that none of them were vulnerabilities.' He went on to describe the problem of so-called 'AI slop,' in which AI reports ordinary bugs as if they were vulnerabilities. Such reports may look plausible at first glance, but on inspection they are technically meaningless or cannot be reproduced, and triaging them wastes the security team's time.

Stenberg said that the low-quality reports were placing a strain on the curl security team, and that the project had therefore decided to discontinue the bug bounty program.

The cURL project's 'security.txt' file, which carries the policy and contact information for reporting vulnerabilities, previously told security researchers and white-hat hackers where and how to report. At the time of writing, however, the file states that the project has no bounty program: 'We will not provide any rewards or other compensation for reported information.' It also warns that submitting low-quality reports such as AI slop has consequences: 'If you waste our time with nonsense, we will ban you and publicly ridicule you.'
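A security.txt file follows RFC 9116, which requires at least a Contact and an Expires field, so a reporter (or tooling that routes reports) should check those before trusting the contact information. The following Python example, added here and not code from the curl project, parses such a file and flags missing or expired fields; the sample contents are constructed for illustration and are not the contents of curl.se's actual file.

```python
"""Parse and sanity-check a security.txt file (RFC 9116).

Added example, not curl project code. SAMPLE_SECURITY_TXT is a constructed
file for illustration; it is NOT the real contents of curl.se/.well-known/security.txt.
"""
from datetime import datetime, timezone

# Constructed sample (hypothetical domain), shaped like a typical RFC 9116 file.
SAMPLE_SECURITY_TXT = """\
# Constructed sample for illustration only
Contact: mailto:security@example.org
Contact: https://example.org/report
Expires: 2030-01-01T00:00:00Z
Policy: https://example.org/security-policy
Preferred-Languages: en
"""


def parse_security_txt(text):
    """Return {field_name_lowercase: [values...]} in order of appearance.

    RFC 9116 lines are 'Field: value'; '#' starts a comment; field names are
    case-insensitive, so keys are normalised to lowercase.
    """
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: not a 'Field: value' line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(fields, now=None):
    """Return a list of problems; an empty list means the file looks usable.

    Checks: Contact and Expires present, Expires appears once and is in the
    future, and each Contact value is a URI (mailto:, https:, tel:).
    """
    now = now or datetime.now(timezone.utc)
    problems = []
    for required in ("contact", "expires"):
        if required not in fields:
            problems.append(f"missing required field {required}")
    if len(fields.get("expires", [])) > 1:
        problems.append("expires must appear exactly once")
    for value in fields.get("expires", []):
        try:
            # RFC 9116 uses RFC 3339 timestamps; map 'Z' to an explicit UTC offset.
            expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"unparseable expires value {value!r}")
            continue
        if expires <= now:
            problems.append(f"file expired at {value}; do not trust its contact info")
    for value in fields.get("contact", []):
        if not value.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"contact value is not a URI: {value!r}")
    return problems


if __name__ == "__main__":
    parsed = parse_security_txt(SAMPLE_SECURITY_TXT)
    for name, values in parsed.items():
        print(f"{name}: {values}")
    print("problems:", check_security_txt(parsed) or "none")
```

The expiry check matters in practice: a stale security.txt may name a reporting channel that has since been closed, which is exactly the situation described above once HackerOne stops accepting curl submissions.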



Vulnerability reports for cURL will be accepted on HackerOne until January 31, 2026, and reports still in progress at that point will continue to be processed. After February 1, HackerOne will no longer accept new submissions, and the cURL security team asks that vulnerabilities be reported directly through GitHub instead.

in AI,   Security, Posted by log1e_dh